How to respond to a suspected HIPAA breach

If a healthcare organization suspects a HIPAA breach, it must promptly conduct an investigation to identify the specifics and scope of the incident. Secure the compromised data to prevent further access, evaluate the need for notification to affected individuals and the Department of Health and Human Services (HHS) based on HIPAA rules, and implement corrective actions such as improving security protocols and staff training to prevent future breaches.

Understanding a HIPAA breach

A HIPAA breach involves unauthorized access to or disclosure of PHI. That includes any individually identifiable health information about a person’s health condition, treatment, or payment for healthcare. Common examples of breaches include unauthorized access by an employee, cyberattacks, hacking, phishing incidents, loss or theft of devices containing unencrypted PHI, improper disposal of PHI, and misdirected communications containing PHI. According to Definitive Healthcare, "As of the end of February 2024, the number of healthcare data breaches for the year was already nearly 100.".

Related: Is there a difference between a HIPAA violation and a HIPAA breach?

The importance of taking action

Taking swift action helps protect patient privacy, comply with legal and regulatory requirements, avoid potential penalties, and mitigate harm to affected individuals. The HIPAA Breach Notification Rule requires that covered entities notify affected individuals, the Department of Health and Human Services (HHS), and sometimes the media when a breach occurs.

How to respond to a suspected breach

1. Conduct an investigation

Determine the specifics of what happened, including the date and time of the breach. Describe how you discovered the breach, whether through routine monitoring, an audit, or a report from a third party. Next, assess the scope by identifying the systems, devices, or records affected and quantify the amount of PHI involved, noting if it includes sensitive information like Social Security numbers or health diagnoses. Finally, determine the affected individuals and assess the potential impact on these individuals, including risks of identity theft or privacy invasion.

2. Secure the data

Take immediate action to stop ongoing unauthorized access to prevent further access. That might involve shutting down affected systems or changing access controls. Disable compromised user accounts and reset passwords to prevent further unauthorized entry. Secure any involved physical records by retrieving and storing them in a locked and secure location. Enhance security measures by implementing temporary or permanent solutions to protect against further breaches, such as enhancing network security or encrypting data.

Related: What happens to your data when it is encrypted?

3. Evaluate the need for notification

Assess whether the breach meets the criteria for notification under HIPAA rules by considering factors such as the type and amount of PHI involved and the likelihood of misuse. If notification is required, inform affected individuals as soon as possible but no later than 60 days from when you discovered the breach. The notification should include details about the breach, what information was involved, and steps they can take to protect themselves, such as monitoring their credit reports. Report the breach to HHS. If the breach affects more than 500 individuals in a specific state or jurisdiction, notify prominent media outlets in that area within 60 days to ensure affected individuals who are unaware of the breach are informed.

4. Implement corrective actions

• Identify the root cause of the breach. Determine how it occurred, if it was due to human error, technological failure, or malicious activity, and address identified vulnerabilities to prevent recurrence.
• Improve security protocols by updating and enhancing data security measures, implementing encryption, access controls, and regular security audits.
• Develop policies for the secure disposal of PHI and the management of portable devices.
• Provide additional training to staff on HIPAA compliance and data security best practices. Regular training sessions can reinforce the importance of safeguarding PHI, emphasizing protocols for handling sensitive information and recognizing phishing attempts.
• Address technological vulnerabilities identified during the investigation by patching software, updating firewalls, or replacing outdated systems. Implement regular system monitoring to detect and respond to threats promptly.
  
  

FAQs

What should I do if I accidentally send PHI to the wrong recipient?

If you accidentally send PHI to the wrong recipient, immediately notify your privacy officer or compliance team. They will guide you on the necessary steps to mitigate the breach, which may include asking the recipient to delete the information and confirming they have done so.

How can I prevent a HIPAA breach from occurring?

You can implement strong security measures such as encrypting data, using secure passwords, limiting access to PHI, and regularly training staff on HIPAA compliance and data security best practices to prevent a HIPAA breach. 

Are there penalties for failing to report a HIPAA breach?

Yes, failing to report a HIPAA breach can result in significant penalties, including fines and corrective action plans imposed by the Office for Civil Rights (OCR). Penalties vary based on the level of negligence and the harm caused by the breach.

Read more: What are the penalties for breaching HIPAA?